Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

The most severe of the browser bugs reported are four Chakra scripting engine memory corruption vulnerabilities (CVE-2018-8280, CVE-2018-8286, CVE-2018-8290, CVE-2018-8294). Each are remote code execution vulnerabilities tied to the JScript engine (Chakra), developed by Microsoft for its 32-bit version of the Internet Explorer. The bugs impact Microsoft’s Edge browser, in this instance.

“The 16 CVEs covering browsers should be prioritized for workstation type devices, meaning any system where users are commonly accessing the public internet through a browser or checking email. This includes multi-user servers that are used as remote desktops for users,” wrote Jimmy Graham, director of product management at Qualys.

Five bugs are tied to Microsoft Edge. One is a spoofing vulnerability (CVE-2018-8278) that exists when Microsoft Edge improperly handles specific HTML content, which could trick users into believing that they were visiting a legitimate website. “The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services,” wrote Microsoft.

Another bug (CVE-2018-8304) is a Windows DNSAPI denial of service vulnerability. DNSAPI is a dynamic-link library file in Windows. In this context it contains functions used by a system’s domain name system (DNS) in a client’s application program interface.

“While not a severe as last month’s wormable CVE-2018-8225, this bug could allow remote attackers to shut down a DNS server through merely a malformed DNS response. Again, that’s better than code execution, but it’s never good when an adversary can remotely shut down a part of your critical infrastructure,” commented ZDI researchers in their Patch Tuesday analysis.

Microsoft’s Office was also patched to prevent emails from containing untrusted TrueType fonts that could be used to compromise a targeted system.

The Office tampering vulnerability (CVE-2018-8310) “exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails. An attacker could exploit the vulnerability by sending a specially crafted email and attachment to a victim, or by hosting a malicious .eml file on a web server,” Microsoft wrote. EML files are a file format developed by Microsoft to archive emails while at the same time preserving the original HTML formatting and header.

Other Office bugs include those impacting SharePoint and Skype for Business.

Microsoft also patched a MSR JavaScript cryptography library security feature bypass vulnerability. In short, the bug allows an attacker to generate signatures that mimic the entity associated with a public/private key pair. “While this doesn’t appear to circumvent authentic public/private key pairs, it likely can be used by malware authors to make their attacks appear genuine,” wrote ZDI.

Discussion

I am so glad MS decided to NOT support Vista anymore. I few months before they dumped us altogether I was getting the blue screen of death 3 or 4 times a week (or it would just shut itself down). Since they dumped us Vista users (YAY) my computer is running just fine!

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.